postfix is vulnerable to "Secure Client-Initiated Renegotiation" DoS according to testssl
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
postfix (Ubuntu) | Incomplete | Undecided | Unassigned | |
Bug Description
According to testssl, postfix is vulnerable to "Secure Client-Initiated Renegotiation" DoS, and there seems to be no obvious way to change this using configuration:
testssl@sendar:~$ ./testssl.sh -t smtp 127.0.0.1:25
...
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
1) root@sendar:
Description: Ubuntu 14.04.4 LTS
Release: 14.04
2) root@sendar:
postfix:
Installed: 2.11.0-1ubuntu1
Candidate: 2.11.0-1ubuntu1
Version table:
*** 2.11.0-1ubuntu1 0
500 http://
100 /var/lib/
2.11.0-1 0
500 http://
3) What I expected to happen
Postfix should either be resilient to this out of the box, or there should be a config option to make it so.
4) What happened instead
Postfix is vulnerable to this condition, without an obvious way to change this using configuration.
information type: Public → Public Security
Changed in postfix (Ubuntu):
importance: Undecided → Critical
Changed in postfix (Ubuntu):
status: New → Confirmed
The same vulnerability is reported for Postfix 3.1.0 under Ubuntu 16.04.1. But I am not sure this is a real vulnerability or merely an overly-cautious report. Some info at http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html.